A systematic review of homomorphic encryption and its contributions in healthcare industry

Cloud computing and cloud storage have contributed to a big shift in data processing and its use. Availability and accessibility of resources with the reduction of substantial work is one of the main reasons for the cloud revolution. With this cloud computing revolution, outsourcing applications are in great demand. The client uses the service by uploading their data to the cloud and finally gets the result by processing it. It benefits users greatly, but it also exposes sensitive data to third-party service providers. In the healthcare industry, patient health records are digital records of a patient’s medical history kept by hospitals or health care providers. Patient health records are stored in data centers for storage and processing. Before doing computations on data, traditional encryption techniques decrypt the data in their original form. As a result, sensitive medical information is lost. Homomorphic encryption can protect sensitive information by allowing data to be processed in an encrypted form such that only encrypted data is accessible to service providers. In this paper, an attempt is made to present a systematic review of homomorphic cryptosystems with its categorization and evolution over time. In addition, this paper also includes a review of homomorphic cryptosystem contributions in healthcare.


Introduction
Encryption approaches usually do not allow processing on encrypted data which implies every time data are processed in its original form. On the other hand, homomorphic encryption allows computation on encrypted data and provides encrypted results to the user. Homomorphic encryption not only allows the processing of encrypted data but also preserves privacy in the process. Classic public-key encryption consists of three algorithms: Key generation, Encryption, and Decryption; however, in addition to these three conventional approaches, a homomorphic encryption property is required. Homomorphic property ε has an efficient algorithm Eval ε with input as p k encryption B Kundan Munjal kundanmunjal@gmail.com 1 key, C is circuit generated from set C ε and ciphertexts C p = (c p1 , c p2 , ....c pt ) encrypted under public key p k then Eval ε ( p k , C, C p ) encrypts C(m 1 , m 2 , ...., m t ) under p k where C(m 1 , m 2 , ...., m t ) is output of C on inputs (m 1 , m 2 , ...., m t ). Consider a scenario with respect to healthcare where a doctor or patient send sensitive information to cloud for predicting some results as illustrated in Fig. 1.
• Step 1: Client (Patient or Doctor) sends data to third party service provider for performing a query/operation. Before sending, client encrypts the data. • Step 2: The client then asks the cloud service provider to perform a certain function on the data and provide the results. • Step 3: Cloud service provider then performs operations using homomorphic encryption property with some function f(). Noise is produced with arbitrary large number of operations. Every addition operation adds to the noise, and every multiplication operation double the noise. High computation on encrypted data results in excessive noise and there are several noise reduction methods. One of the most popular methods are bootstrapping and squashing. Both of these methods are a self-reliant process that progresses without external help. Modulus switching is another prominent strategy for achieving better asymptotic performance than bootstrapping. • Step 4: Encrypted results are provided to client. • Step 5: Client at its end computes decryption using decryption function and recovers f(message).
Dec(Enc( f (message))) = f (message) As a result no information is lost by getting encrypted results and decryption at its own end.

Motivation
Security is the key concern in cloud computing. Data provided to third-party service providers for processing and automation are a big issue. Every single business or organization wishes for the personal and sensitive data of the user. Every organization whether government, private, healthcare, academia requires data for policy formation, research purposes, planning new marketing strategies, or launching innovative products. Our main concern is with healthcare privacy as according to a survey by acumen research and consulting [1] healthcare cloud computing market will pass US$ 40 billion by the year 2026. Cloud computing in health care not only increases efficiency but also reduces cost. It is fast but protection of patient-sensitive data is the prime concern as it will not only promote patient confidence but also help in economic development. The digitization of a patient's medical records is supposed to improve care quality and efficiency while reducing costs. On the other hand, patient records include a considerable quantity of sensitive information. As a result, patients must be able to swiftly allow a range of medical affiliates to access their sensitive information using a simple, trustworthy, efficient, and secure approach. Therefore, it is vital to look at the usage of homomorphic encryption in healthcare and compare various homomorphic algorithms for illness prediction as well as data querying while protecting the privacy of patient information. The rest of this article is organized as follows: the next section contains review methods, planning, inclusion and exclusion criterion, research questions with motivation. The subsequent section compares and analyzes homomorphic encryption starting with partial and somewhat homomorphic encryption approaches followed by fully homomorphic encryption approaches. Techniques to fully homomorphic encryption were classified into four categories, with significant approaches in each category were compared. The next section focuses on homomorphic encryption in the healthcare sector. Homomorphic encryption techniques were compared on the basis of communication and computation overhead for securely identifying LQTC, cancer, average heart rate, car-diovascular problems, and a secure query generating system in healthcare. Finally, conclusion is presented.

Review method
The systematic review process may be considered as a means of solving a specific research problem. Presently no systematic reviews are focusing on homomorphic cryptosystems in healthcare and bioinformatics, therefore a systematic review research methodology was chosen. As a result, the systematic review aims to close this significant research gap. Kitchenham and Brereton [2] recommendations were selected to evaluate and explain all homomorphic encryption research questions. Our work is motivated by the revolutionary work of Craig Gentry [3,4]. Additionally, the fact that fully homomorphic encryption will act as a boon to the healthcare industry as it will preserve complete privacy of patient health data is also a path of motivation. Reviewing the processes outlined in Fig. 2 will give a basic understanding of the systematic review process: • Define research/review question: After reading various research/Journal articles and magazines and consulting with the expertise in the area of homomorphic encryption. Various research questions were identified. • Develop Review Protocol: Pre-define the kind of research that will be included, as well as the procedures for collecting, evaluating, and analysing data. • Identification of Research: After, Gentry's revolutionary work in homomorphic encryption, a number of homomorphic encryption methodologies in healthcare and bioinformatics were published. Despite tremendous research in homomorphic encryption there is no systematic review that considers quality of research and development. • Extraction: Relevant research articles were included and irrelevant were excluded. • Study Quality Assessment: Research articles were selected from popular repositories with keywords as homomorphic encryption to review basic homomorphic approaches. • Data Synthesis: This phase entailed presenting data in descriptive and graphical form. It will help to make the overall evaluation of outcomes easier. • Knowledge Translation: The findings and details of the review will be distributed to relevant target groups in a variety of media.

Review planning
The accomplishment behind each review depends on the selection of good-quality papers with unique work and genuine references. Thus, recognized journals, conference proceedings, and databases were investigated and explored in the area of homomorphic encryption. Scientific publications from Scopus, ACM Digital library, Springer Link, Sciencedirect, Google Scholar were selected based upon research questions given in Table 1. Fundamental studies in PHE, SWHE that function as cornerstones of homomorphic encryption were chosen first, followed by publications focused only on fully homomorphic encryption. A total of 1815 scientific papers were obtained using a database search with Keywords used for search as 'homomorphic encryption', and 'homomorphic encryption' or "medical" OR "healthcare" OR "bioinformatics" OR "EHR" OR "patient" OR "health" OR "medicine". Following the removal of duplicate documents, a total of 857 records were evaluated for title screening. After screening title total 194 articles were selected for abstract screening. In abstract screening 69 papers that were focused on homomorphic encryption based upon LWE, NTRU, Lattices, Integers, and HE papers focused mainly on healthcare and bioinformatics were selected. Other than that 19 important papers in PHE and SWHE (consider Fig. 4) were chosen for better understanding the concept of homomorphic encryption.

Inclusion and exclusion criteria
Scientific articles in journals, conferences proceedings, workshops published in the year range from Jan 2009 to Dec 2021 ( Fig. 3) were considered. Other than that, Partial and Somewhat homomorphic encryption papers of the old era were also included to better understand the concept of homomorphic encryption. All quality research publications of fully homomorphic encryption after the Gentry FHE scheme were considered. Articles that were focused on the applicability of homomorphic encryption other than healthcare or bioinformatics were excluded.

Research questions
Prime objective of this review writing is to categorize the current literature on homomorphic encryption with its contributions in health informatics. This research study's end result is the identification and examination of homomorphic encryption methods in healthcare. A set of research questions are formulated for this systematic literature review in Table  1.

Background
The medical services industry is experiencing a digital revolution. Modernizing medical care has prompted another time of computerized wellbeing and health. Medical services information is gathered from different sources (e.g., sensors associated with patients) and stored in unique medical services clouds (e.g., private and public clouds). Also, the volume of agglomerated medical information is sufficiently enormous to qualify as "Big Data". As cloud medical services become a well-defined component in the medical services industry, there is a more critical requirement for safely sharing patient data across such dissimilar medical services clouds. Besides, with Accountable Treatment Organizations (ACOs) (e.g., medical service providers, specialists, clinics, and protection providers) collaborate to provide top-notch care, with demand for constant availability across cloud medical services higher than at any point in recent times. A disentangled patient-driven paradigm, in which patients can switch suppliers while still providing their data in a useful way for better diagnosis and treatment, and, in the long term, for enhanced global health, is appealing. As of now, medical care suppliers who have delicate patient information in private medical care clouds across the globe are reluctant to share that data on account of security and protection issues. As medical care suppliers move to the local area and public cloud-based administrations, a requirement for a secure connection between divergent medical care cloud increments. Moreover, security guidelines forced by Health Insurance Portability and Accountability Act (HIPAA) [6] and Health Information Technology for Economic and Clinical Health (HITECH) [7] place a cumbersome undertaking on medical care Information Technology (IT) framework to be agreeable with protection and security guidelines. Moreover, with arising Internet of Things (IoT) market and its mix in the vast information cloud stage, there is expanded worry about security and protection with the medical services cloud worldview. Many researchers contributed with their study in homomorphic encryption. Homomorphic encryption has three types: partial homomorphic encryption (PHE), somewhat homomorphic encryption (SWHE), and fully homomorphic encryption Fig. 5. PHE supports either addition or multiplication i.e. one operation over encrypted data. SWHE supports a finite number of operations, i.e., it evaluates the circuit up to some limit or depth. FHE supports both operations infinite number of times over encrypted data.

Partial homomorphic encryption schemes
There are various partial homomorphic encryption schemes available. It all started by Rivest, Adleman and Dertouzos [8] with an asymmetric encrypted system that supports multiply operation over ciphertext and first time they uses the term "privacy homomorphism". It was based upon hardness of prime factoring problem. Goldwasser-Micali [9] proposed first scheme with semantic security proof. It was based upon the hardness of quadratic residuosity assumption [10] which is solvable then q is quadratic residue mod N otherwise q is quadratic non-residue N. In, 1985 Tahar Elgamal [11] proposed a better public key cryptosystem which was an improvement over Diffie-Hellman [12] key exchange algorithm. In this public-key cryptography, security depends upon the hardness of discrete algorithms over finite fields. In discrete algorithm, consider a prime number p. let α and β be integers which cannot be divided by p then find x such that α x ≡ β (modp). Dense probabilistic encryption by Benaloh [13] is a homomorphic encryption scheme over addition operator with an improved expansion factor as compared to Goldwasser-Micali. The proposal was based upon higher residuosity problem [14] x n as compared to quadratic residu- osity problem, which is x n in GM cryptosystem. Benaloh approach has a homomorphic property which shows that encrypted text multiplicative operation is the same as plain text addition operation. As encryption was applied after messages were added, encrypted messages Enc(m 1 ) and Enc(m 2 ) may be directly assessed. As a result, one can deduce that Benaloh's method was additive homomorphic. Paillier [15] in 1999 proposed a trapdoor approach compared to prime residuosity, Paillier approach was based upon composite residuosity classes, which believed to be kind of boon to public-key cryptosystems. Initially, the nature of Paillier cryptosystem allows addition operation over encrypted data but later improvements in the approach proved that multiplications can also be performed over encrypted data. There are other partial homomorphic schemes [16][17][18] that were based upon previous work by Elgamal, Benaloh and Paillier, which improves computational performance while maintaining homomorphic property. In [19], due to hardness of the lattice problems, the author, proposed homomorphic cryptosystem with addition operation over vast cyclic group. Authors called their proposed scheme's homomorphic attribute pseudohomomorphic. Galbraith [20] proposed a more natural generalization of Paillier's cryptography approach, which he applied to elliptic curves while keeping the Paillier's cryptosystem's additional homomorphic property. Various partial homomorphic encryption (Table 2) approaches are compared based upon encryption, decryption, hardness, and homomorphic property.

Somewhat homomorphic encryption schemes
SWHE schemes [22][23][24][25][26] support an arbitrary number of operations, but with each operation, a noise is generated and after a limit the underlying encrypted value is lost. As a result, SWHE systems support arbitrary operations but only for a finite number of times. Each addition operation increases noise and every multiplication operation causes noise to multiply. SWHE is a unique but not complete solution like fully homomorphic encryption. FHE supports an unlimited number of arbitrary operations over ciphertext. Boneh-Goh-Nissim [23] proposed a semantically safe technique for adding and multiplying encrypted data. It supports an arbitrary number of addition with a single multiplication operation on ciphertext with a specified length. BGN enables evaluation of quadratic formulas over ciphertexts, i.e., 2-DNF (Disjunctive Normal Form). BGN approach hardness was dependent upon the subgroup decision problem [27], which states that whether a given element g 1 of a finite group G is a member of subgroup G 1 . Yao [22] study is an early effort for performing functions operations on the ciphertext. As a solution to the Millionaires' Problem, Yao developed a two-party gcd(x, n) = 1} such that where function L (Lagrange function) Private Key (Decryption): Name of Algorithm Homomorphic property [21] Enc(m communication protocol, which compares the wealth of two wealthy persons without disclosing the precise amount. Furthermore, in this approach, the ciphertext size grows linearly at a minimum as every gate in the circuit is computed. Yuval Ishai and Anat Paskin (IP) [24] proposed a scheme based upon a branching program evaluation on encrypted data. In [26] author proposed first SWHE scheme over a semi-group and NC1 is a complexity class covering circuits with poly-logarithmic depth and polynomial dimension. With one OR/NOT gate, the suggested technique allowed for polynomially many ANDing of ciphertexts. With each multiplication size of ciphertext increases.

BGN scheme
Key generation: Consider C G and C G 1 as multiplicative cyclic groups of order n with n = q 1 q 2 . let g be a generator of C G with e : C G × C G → C G 1 is a bilinear map, public key is Encryption: Decryption: Homomorphic Property under addition: Where, r 1 + r 2 + r = r Homomorphic property under multiplication: Consider g 1 and h 1 with order n and q 1 , respectively. set g 1 = e(g, g) and with r = msg 1 r 2 + r 2 msg 1 + αq 2 r 1 r 2 + r ,uniformly distributed in Z and ciphertext is uniformly distributed in C G 1 instead of C G .

Fully homomorphic encryption schemes
An encryption scheme is fully homomorphic if it supports two operations, i.e., addition and multiplication, an infinite number of times over encrypted data. Ciphertext contains noise that increases with operations in all the fully homomorphic encryption schemes. In particular, a multiplication operation increases more noise than an addition operation. The noise level gets too high at a certain threshold, preventing additional homomorphic procedures from resulting in accuracy. At this point, a refreshing procedure is required, which makes the performance highly unsatisfactory.

Preliminaries for FHE
In this section, the FHE scheme is classified into four categories (Fig. 5). These advanced cryptographic approaches act as preliminaries for fully homomorphic encryption schemes. A review of research papers based on these criteria is also conducted.

Lattice-based cryptography
Lattice-based cryptography is an advanced cryptosystem. It holds first place in the advanced post-quantum cryptosystem, i.e., Cryptography based on lattices is thought to be safe against superfast quantum computers. Lattice-based cryptosystems are based upon hard problems like Shortest Vector Problem to find the shortest non-zero vector in the lat and Closest Vector Problem with the goal of finding the closest lattice vector with the given vector. In n-dimensional space, a lattice is any regularly spaced grid of points. Formally,n independent vectors known as basis of the lattice b 1 , b 2 , b 3 , . . . ,b n are generated as a set of vectors In 2009 Gentry [3] proposed a fully homomorphic encryption scheme, which was the first fully homomorphic encryption scheme. The solution comprises three steps. In the first step it provides general result that can evaluate its own decryption circuit i.e. bootstrappable . In the Second step, a public key encryption approach was suggested. This approach uses the concept of ideal lattices with having a bootstrappable property. It is represented as the lattice FHE technique that allows both homomorphic addition and multiplication computations on encrypted data. Former HE approaches provide either of the two operations as in Table 2; therefore, those schemes were partial homomorphic. The challenge of FHE is noise which increases as number of homomorphic operations increase. If the noise becomes too large, it becomes challenging to decrypt correctly. Gentry's approach is somewhat homomorphic (SHE) which means it can handle homomorphic operations up to a limit and to make it for unlimited operations ciphertext needs to be refreshed using bootstraping procedure. This procedure is a recrypting process, and inefficient. Initially, the encryption was bitwise, meaning that each bit of data was encrypted independently, and the result was ciphertext. Bit addition and multiplication (modulo 2) correspond to XOR and AND bitwise operations, allowing any Boolean circuit to be evaluated, i.e., any calculation to be done by first defining the computation in XOR and AND gates. However, immediately breaking down a calculation into bit operations results in complex and deep computation circuits, which SWHE cannot handle and requires encryption, i.e., Bootstrapping.

Bootstrapping and squashing
If a scheme is homomorphic enough to evaluate its circuit of decryption, it can be transformed into fully homomorphic encryption capable of evaluating any function. High computation on encrypted data results in high noise. It is necessary to refresh encrypted data regularly, but this must be done without needing a secret key, which is accomplished by bootstrapping. Bootstrapping is a self-reliant process that progresses without external help. Suppose SWHE can handle a circuit up to a certain threshold depth, D. If the augmented decrypt circuit has depth ≤ D, then the system is bootstrappable, i.e., the ciphertext can be refreshed through recryption. The idea behind recryption is: Consider two secret key pairs. (sk 1 , pk 1 ) and (sk 2 , pk 2 ) and Decr ypt E (sk 1 , Encr ypt E ( pk 1 , m)) = m for message say m and same for second pair. Suppose E is homomorphic with respect to decryption circuit. Encryption of sk 1 under pk 2 will be Encr ypt E ( pk 2 , sk 1 ). Encryption of initial ciphertext with public key pk 2 : Encr ypt E ( pk 2 , Encr ypt E ( pk 1 , m))

Consider
Decr ypt E (Encr ypt E ( pk 2 , sk 1 ), Encr ypt E ( pk 1 , m)) = Encr ypt E ( pk 2 , m) and it is to be done bitwise. In this way inner encryption is removed by creating a newly encrypted ciphertext with pk 2 and the scheme can homomorphically evaluated.
Decr ypt E (sk, c 1 ) + Decr ypt E (sk, c 2 ) or, Bootstrapping is valid in decryption algorithms with lesser circuit depths. But if the circuit depth is high, bootstrapping is not possible due to performance issues. As a result, an improved technique is applied known as squashing, which reduces decryption algorithm complexity. According to this scheme, initially, a set of vectors are selected. The sum of these vectors is the same as the multiplicative inverse of the private key. Set elements are then multiplied with the encrypted text. As a result, polynomial degree of the circuit is reduced to an acceptable level. Retrieving private keys depends upon the assumption of SSSP (Sparse Subset Sum Problem) mentioned in [28]. Craig Gentry and Shai Halevi [29] proposed an FHE scheme that is hybrid of SWHE and MHE, i.e., Multiplicative homomorphic encryption. The approach still depends upon bootstrapping step, but it avoids squashing as it does not rely on the assumed hardness of SSSP. A new method in which sparse subset sum problem was replaced with Decision-Diffie Hellman [30]. This approach additionally substitutes MHE with AHE (additively homomorphic encryption), which encrypts discrete logarithms and creates a leveled FHE whose difficulty is determined by the shortest independent vector problem over ideal lattices [31]. At PKC 2010, a modified Gentry's fully homomorphic public-key encryption scheme was presented by Smart and Vercauteren [32] that can support SIMD style operations. Gentry and Halevi followed the slow key generation process of smart and Vercauteren but still lacks SIMD style operation. A realization of achieving Single instruction multiple data operations using homomorphic evaluation of AES was given by smart and Vercauteren in 2011. BDDD, i.e., bounded distance decoding problem for somewhat homomorphic, ensured the encryption scheme's security and sparse subset sum problem for bootstrapping procedure.

Integer-based FHE schemes
A SWHE was presented [33] based upon integers with the hardness of algorithm depending upon Approximate Greatest Common Divisor problem [34]. Although the scheme was symmetric, It was also demonstrated basic symmetric homomorphic encryption technique that may be transformed to an asymmetric homomorphic encryption technique [33]. At Eurocrypt 2013, an extended version of fully homomorphic encryption over integers was presented with batch FHE scheme over integers [35].Using the renowned Chinese Remainder Theorem, the DGHV method was extended by packing l plaintexts m 0 , m 1 , · · · , m l into a single ciphertext. It allows not only encrypting bits but also elements from rings of the form Z Q . There are also some additional FHE schemes proposed over integers. A novel FHE over integers that is scale-invariant [36], an approach with integers plaintext [37], a symmetric FHE scheme that does not require bootstrapping [38], a SWHE method for performing arithmetic operations on huge integer values without converting them to bits [39]. In their names imply, all of these approaches enhanced FHEs over integers.

Learning with errors
Learning with errors (LWE) is a key concept that serves as a building block of advanced cryptographic algorithms. LWE is a generalization of LPN (Learning parity with noise) problem. LWE can be thought of as two sub-problems closely related to each other. Search LWE and Decision LWE. LWE is a powerful cryptography tool as its hardness is the same as lattice problems, i.e., shortest vector problem and closest vector problem.
Consider a matrix with n rows and m columns with uniform random entries from space of integers modulo q. let Z be a vector of length n with uniform random entries from the same space and let b be a vector of length m with entries drawn from χ distribution. Compute s (all arithmetic operations are performed mod q) In [40] the hardness of worst-case lattice issues was decreased from SVP to LWE problems, implying that if an algorithm can solve the LWE problem in an acceptable period, it can also solve the SVP problem. In [41] a significant improvement to the LWE problem by developing the ring-LWE (RLWE) problem was proposed, which leads to new applications. It was also proved that RLWE issues could be reduced to worst-case problems on ideal lattices, which polynomial-time quantum algorithms struggle to do. Another practical RLWE [42] to obtain an FHE scheme was proposed which, employs Gentry's squashing and bootstrapping techniques. Polynomial-LWE (PLWE), a simpler variant of RLWE, was employed. PLWE can likewise be reduced to worst-case scenarios like SVP on ideal lattices. To reduce the noise growth concerning each operation, Brakerski, Gentry, and Vaikuntanathan introduced a leveled homomorphic encryption approach [43]. The growth of the noise is linear in contrast with the multiplicative depth of the circuit. The scheme was based upon a modulus switching technique known as the BGV scheme. BGV scheme was also used with AES to perform homomorphically in [44], but it requires different versions of public key, thus requiring a large amount of memory machine. Brakerski proposed a new approach invariance, at Crypto 2012 for leveled for leveled homomorphic encryption schemes. In contrast to modulus switching, ciphertext retains the same modulus throughout the homomorphic evaluation. As s result, just a single copy of the scale-invariant evaluation key must be maintained. In [46] Brakerski's FHE scheme transformed from LWE to RLWE with detailed analysis of various subroutines, including multiplication, bootstrapping, and relinearization. No implementation of this scheme is available, but there is a proof-of-concept execution in computer algebra system which is used in [47]. In [48], a relinearization technique was introduced that obtains a SWHE without requiring hardness assumption on ideals. A dimensional-modulus reduction was also presented with the goal of converting SWHE to FHE without using the squashing and SSSP. Other schemes are based upon Learning with Error problem. In previous LWE schemes multiplication step was complicated and expensive due to relinearization but in [49] author suggested a novel approach for FHE, i.e., approximate eigenvector method. All addition and matrix operations in this approach are through matrices resulting in an asymptotically faster approach and easier to understand. The relinearization step was eliminated, and matrices were added and multiplied simply.

NTRU-based FHE scheme
NTRU-based encryption is an old encryption technique proposed by [50] in 1998. NTRU was the earliest encryption attempt on lattice problems. In [51] author uses on-the-fly MPC in which each user is involved in sending encrypted data to the cloud and decrypting, i.e., when outputs are received. A new type of encryption was used, i.e., multikey FHE with the capability of operating on inputs that are encrypted under multiple different and unrelated keys. The multikey FHE scheme was based upon NTRU, an efficient publickey encryption scheme. Although initially, NTRU was not fully homomorphic, transforming it into fully homomorphic reduces its efficiency but increases its capability. However, an additional assumption related to public key uniformity is needed, known as decisional small polynomial ratio (DSPR) assumption. This additional assumption is avoided by Stehle and Steinfield [52] and a secured FHE scheme was proposed [53] under RLWE with circular security assumptions only. A FHE technique was proposed based on the power-of-prime cyclotomic [54] ring. The method is based on the RLWE assumption does not need the use of the DSPR (decision small polynomial ratio) assumption. The approach's efficacy leads to improved noise control, resulting in improved ciphertext storage, computation, and communication. In table 3, important FHE schemes based on their category and hard problem used are classified.

Homomorphic encryption libraries
Research in HE has resulted in effective, freely accessible HE libraries and software. Custom implementations require a high level of programming and cryptography skill since noise should be carefully controlled to preserve accuracy upon decryption, and security settings must be explicitly specified. Table 4 gives an overview of the implementations, including the software's name, inventor, language, license, and a brief synopsis of the schemes implemented.
This section covers all homomorphic approaches beginning from PHE followed by SHE and FHE approaches. All these approaches based upon various factors like hard problems, nature of homomorphism are compared. FHE systems are also categorized, and they have improved and changed through time. Finally, the technique and programming language utilised in HE-implemented libraries are compared. The publications on homomorphic encryption that are explicitly focused on healthcare data are explored in the next section.

Homomorphic encryption in healthcare
In the healthcare industry, patient health records are referred to as Electronic health records (EHR), a digital record of a patient's medical history kept by hospitals or health care providers. It includes clinical data, demographics, medical history, and medical reports. Electronic health records (EHRs) are official health information records generated by any healthcare provider. Digitizing patients' health care information is likely to improve the quality of care and effectiveness and reduce costs. It also facilitate the access of patients' healthcare records whenever and wherever possible. The main goal of EHR's is to reduce the communication gap between health care providers for a better quality cure and that too with reduced costs. However, Electronic health records (EHRs) contain a large amount of sensitive data, which is not only accessible to the doctor but also accessible to several different sources like insurance companies and staff members, so effective management of electronic health records is essential for concerns related to data security. The three fundamental and main goals of security is (CIA), i.e., Confidentiality, Integrity, and availability.
• Confidentiality: Only an authorized person should have access to the information. • Integrity: Information should be correct, and an unauthorized person should not alter it. • Availability: Information should be accessible, available, and usable at any time but only by an authorized entity.
A shared EHR comprises a complex and challenging layout of sensitive data, including laboratory tests, patient demographic information, medical history, radiology records like ECG, X-RAYS, and CTs. There is a requirement for a complete secured model that should meet the terms and conditions of legal and regulatory bodies. A secure model ensures access to sensitive information limited only to those entities who have a justifiable need-to-know privilege assigned by the patient. Sometimes, a patient chooses to deliberately hide his health information related to an HIV/AIDS treatment unless and until a specific treatment alternative is included. Therefore, it is necessary to have a simple, reliable, efficient, and secure mechanism in which patients can quickly authorize the number of medical affiliates for accessing their full or partial sensitive information. There are various techniques for data protection, including pseudonymisation and anonymization. Both of these techniques can be used to protect the individual's health record.
Anonymisation is the processing of data to prevent identifying the person to whom it belongs permanently. Anonymized data never allow the identification of an individual to whom it belongs. It is not even possible that any person could be Approximate-GCD problem [49] Approximate Eigen vector method known from the data by any advanced processing of the data. On the other hand, Pseudonymisation replaces any identifiable characteristics of data with a pseudonym. The only difference between pseudonymization and anonymization techniques is that it is possible that an individual can be identified by analyzing the related data in pseudonymization. In various cases, it is not possible to use an anonymization technique either because of the nature of data perspective. Pseudonymized data are very much suitable for processing and analyzing. However, anonymizing data while maintaining its value is a complex undertaking due to the inclusion of quasi-identifier components other than direct identifiers (e.g., name, address) that may be used alone or in conjunction with other data to re-identify it. The most common problems associated with Electronic health records are privacy, security, and confidentiality. Privacy of digital health records can be achieved in three different ways: Acquisition, Storage and Computation. Although first two are achievable, but the third condition, i.e. computation, also needs to be addressed to get complete privacy. There exists no system to enable processing in the cloud with privacy. FHE permits computation on encrypted data in the cloud. Various approaches satisfy homomorphic property on medical data. Multiple approaches are studied from 2009 till 2021 and focused on preserving patient privacy using homomorphic encryption. All of these approaches will be presented in the remaining parts of this section.
A decentralized system was proposed in [71] that authenticate users using verifiable attributes while maintaining attribute and identity privacy. Furthermore, an authentication system was designed with progressive privacy constraints in diverse interactions among involved entities. In [72]author has described a cloud-based approach using FHE to review ECG. Authors formulated FHE as the core of this idea and identified challenges to make it possible for ECG-Monitoring. Data obtained from THEW [73] standard ECG database that contains data of 24 hrs and took average heart rate calculation. Acquisition devices are capable of transferring data in AES format wirelessly. Encrypted data will only be stored in the cloud. However, to operate on some of the data, AES encrypted data first must be converted into FHE encrypted format. AES to FHE conversion done by the method described in [44]. Implementation was done with two algorithms one was gentry's original [3] FHE  [ 53] cuYASHE is the first GPGPUs implementation of the YASHE levelled fully homomorphic technique. To achieve significant speed increases, this library uses the CUDA platform and several algebraic techniques such as CRT, FFT, and polynomial and modular reduction optimizations scheme, and the other was BGV [43] scheme. In gentry scheme, recryption operation was costly and took 99.9% more time than homomorphic addition and multiplication. In BGV implementation, recrypt operation is avoided by defining multiplicative depth.
In [74], author presented an approach that predicts heart attack probability based upon few body measurements. They use a client application that collects health data and sends it in encrypted form and used Microsoft Windows Azure cloud service. A practical variant of a homomorphic encryption scheme was used. The method works with a ring where n is a power of 2, implying that polynomials with integer coefficients of degree less than N are the objects.

R= Z[ X ]
X n +1 Specifically plaintexts as well as ciphertext are all polynomials. An element x ∈ R has the form  [75], FHE encrypted ECG data are uploaded from a patient to the cloud for detecting LQTC (Long QT Syndrome). Cloud will receive two values, QT and RR. These values are encrypted homomorphically at the patient's end. Initially, recordings are taken from THEW database [73], and then patient QT c is computed homomorphically as QT c values are then compared with threshold value of 500ms.

f (QT , R R) = [QT 3 > (500) 3 (R R/sec)].
After converting this equation into matrix, its performance is evaluated by comparing the Naive and Matrix approach results and found that the matrix approach is consistently more efficient than naive approach by a factor of 20. As in the naive approach, the depth of computation is higher, and cost increases with depth. A secure computation [76] in personalized medicine using Paillier cryptosystem [15] was proposed, which allows a personal mobile device with sensitive data to compute tests (e.g., Warfarin dosage) while keeping personal data and test specifics private. Details of a partial implementation of this protocol were also revealed. In [77] author used the BGV [43] scheme and its practical implementation HElib [55] for calculating average heart rate, calculation of minimum and maximum heart rate, and detection of LQTS (Long QT Syndrome). As BGV scheme uses leveled FHE which eliminates expensive recryption operation. Leveled FHE uses a better technique for handline noise, i.e., modulus switching. In this scheme, plain texts are represented as polynomial rings G F( p d with p as a prime number, i.e., the range of polynomial coefficients and degree d of the polynomial. As plaint text are represented with polynomial rings which allow multiple message packing by partitioning them into independent slots [32] resulting into SIMD Single Instruction Multiple Data fashions. The authors [78] developed evaluation techniques to compute securely over minor allele frequencies (MAF) and the χ statistic in genome-wide association studies. It was also explained how to calculate the Hamming distance and Edit distance between encrypted DNA sequences safely. Finally, the performance of two widely used homomorphic encryption algorithms [44] and [53] were examined. Another approach [79] proposed a data division homomorphic encryption scheme in wireless sensor networks. The algorithm divides whole data into two or three parts for safer communication and data storage. Forwarding nodes within the network upload encrypted sensor data without the actual need of decrypting it. In a worse case, if the forwarding node is attacked, the attacker will not eavesdrop original data. The algorithm is divided into five phases: data preprocessing, encryption, data transfer, data fusion, and decryption. Consider D as the sensed data and N as a random integer. The data division scheme will divide the data into D/N , N . It is both additive and multiplicative homomorphic as shown in equation 1 and 2.
In [80], author proposed a fully homomorphic encryption algorithm for encrypting and decrypting medical images. It uses DICOM as the input image. They analyzed keyspace analysis, correlation analysis, histogram analysis, key sensitivity analysis, P SN R, M SE and noise analysis. The author divided the whole process into fifteen steps. They used a probabilistic algorithm for a key generation as well as for encryption described in, and a deterministic algorithm for decryption [81]. This scheme supports unlimited additions (Eq. 4) and limited multiplications (Eq. 5) and uses a probabilistic algorithm for a key generation as well as for encryption and a deterministic algorithm for decryption. Perfect encrypted image results into uniform distributed histogram image according to histogram analysis of image pixel distribution was uniform. Larger PSNR values were identified, and in correlation analysis between two adjacent pixels, it was concluded that the algorithm provides good security.
In key space analysis, 150−bit size key is considered, which has total 2 150 values. Key size is sufficient, which is not affected by brute force attacks.
Homomorphic property: M 1 and M 2 are plain texts and C 1 and C 2 ( equation3) as respective ciphertexts. Parameter S 1 and S 2 are two small positive integers and B 1 and B 2 are big random positive integers. P and Q be two big prime numbers with P >> Q.
where a is any random number under P Multiplicative Homomorphism: Additive homomorphism: Another approach [82] performs privacy-preserving linkage of records in healthcare sectors. A secondary contribution of this research is the creation of an API for the El-Gamal cryptosystem [11] that enables for the use of the cryptosystem's multiplicative homomorphic feature. In [83] a secure privacy-preserving data aggregation technique was developed using a Bi-linear ElGamal cryptosystem and aggregate signature. According to security analysis, the proposed system protects data confidentiality, authenticity, and privacy while also resisting passive eavesdropping and replay assaults from malicious adversaries. Because of the use of privacy homomorphism, this approach can be implemented in a cloud-assisted Wireless Body Area Network (WBAN). The [84] solution is built on the hybrid framework Chimera, which allows migration between distinct families of fully homomorphic schemes TFHE [58] and HEAAN [57]. It was the only bootstrapped solution in idash 2018 competition that may be used for a variety of parameters without requiring a recryption of the genomic database In [85] author proposed and implemented an optimized NTRU-based homomorphic encryption scheme resulting in much slower growth of noise. The encryption scheme includes d as degree of number field, modulus q,σ k and σ c is standard deviation of discrete Gaussian error distribution in key and ciphertext space, λ is the security level that can be 80 or 128 bits. There is a bit decomposition function B D() BD(integer) takes a l− bit integer and output bit decomposition of integer as a row vector of size l. BD ( polynomial) with input as n being polynomial size with l bit integer as each coefficient and outputs l × n. BD(Matri xo f Polynomials) with input as polynomial matrix of size x × y and outputs a matrix of size x × yl. There is also bit decompose inverse function B DI which is an inverse of B D.
KeyGen(1 λ ): consider two polynomials f 1×1 , g 1×1 ← D Z n ,σ k with condition f is invertible in ring R q and f ≡ 1(mod2). Public key p k and secret key s k can be computed as: Decrypted ciphertext can be reformulated as l × 1 polynomial vectors (Eq. 6) like μ f , 2μ f , · · ··, 2 l−1 μ f along with some error vector. In [86] author uses the medical cyberphysical system to target remote health monitoring system for patients that sends ECG data from patient's home to the cloud. Patient data is encrypted using Paillier [15] and BGV [43] scheme. Paillier scheme is used to detect Average heart rate as it is only additive homomorphic, but BGV is used to detect LTQS (Long QT syndrome). THEW [73] (which is 24 − hour anonymized ECG recordings of real patients), with a sampling rate of 1000 Hz. 128-bit security  [86] technique, less computation is required to detect LQTS due to efficient l-bit comparator, which requires just one homomorphic multiplication with l-Xor operations The communication cost of computing average heart rate is reduced since only one ciphertext is provided to the receiver, as opposed to two ciphertexts containing the cumulative total and number of samples in Kocabas approach [86] With security parameters ranging from 200 to 400, the implementation time for detecting long QT Syndrome has been significantly reduced. When computing average heart rate, the overhead of ciphertext is also decreased [89] El Gamal [11] Discrete Logarithms More computation time is required. In comparison to delays caused by a lack of learning from real-world events, computing time is insignificant. Patients and doctors will be more likely to engage in research if they know the data from their health records will never be decrypted, resulting in faster learning owing to improved statistical power for recommending encrypted data was used. LQTS implementation was compared based on bit-length of toc values in the dataset. Encryption and Decryption time using both Paillier and BGV is almost the same, but when it comes to evaluation Paillier becomes 3100 × faster. However, Paillier is a partial homomorphic scheme, i.e., only additive homomorphic. In [87] author proposed a four-layer architecture of the mobile health network, including wearable area, preprocessing area, cloud server area, and physical diagnosis area, followed by safe average heart rate calculation, long QT syndrome, and chi-square detection. Dowlin's protocol is used to determine the average heart rate and long QT syndrome and uses chi-square tests to check the relation between varicose veins and overweight patients. Dowlin FHE scheme [88] consists of: n as security parameter=2 k where k ∈, q is large prime number with qmodn ≡ 1, t is small plain text modulus where 1 < t < q, χ key and χ err are randomly chosen from ψβ,params=(n,q,t, χ key and χ err ) In [89], author demonstrated efficient use of homomorphic encryption for computing aggregate queries on ciphertext and also provides confidentiality of aggregate-level data from i2b2 data model. A privacy-preserving data sharing approach based upon El Gamal cryptosystem [11] which is additive homomorphic. It includes three phases, first is Initialization Phase to generate public and private keys for EL Gamal Cryptosystem followed by ETL Phase for encrypting i2b2 aggregate-level. After that, there is a Querying Phase. A query can be generated after, the encrypted data are stored on the storage server. With every query fresh temporary pair of keys are generated. After receiving the query, the server fetches the records encrypted under the public key and uses the crypto engine for homomorphically aggregating them. It also includes an interactive two-party encryption protocol with a proxy server for switching encryption of results. In [90], a SafeBioMetrics system architecture was proposed that enables secure cloud storage and processing of medical data using BGV [43] fully homomorphic encryption scheme.
The Polar H7 device was applied as an experimental population sample to 45 individuals, and additionally dataset of 500 patients was used to detect DRHS (Delayed Polarization of Heart Syndrome) medical condition. Another i2b2 data privacy and security approach were proposed [91]. Privacy solution is integrated on top of the i2b2 framework using homomorphic encryption and differential privacy. Proposed solution was based upon Fan and Vercauteren cryptosystem [46], which is lattice based leveled homomorphic scheme with RLWE (Ring Learning with errors) enabling privacy based queries on the genomic data. The implementation of genomic cohorts in a real-world scenario took place at a hospital. Performance was evaluated with 707 MB of data that includes nearly 18.5 crore genotypes with each genotype of 4 bytes. The BGN [23] homomorphic cryptosystem has been used [92] as a cloud-based online medical prediagnosis approach that is both efficient and private. It enables the system's online prediagnosis function, which may instantly be executed on the ciphertext. In [93], a medical encryption algorithm was proposed based upon elliptic curve cryptography combined with homomorphic encryption. Traditional ECC was expensive due to inversion operation, which is ignored in its improved version. The effectiveness of the algorithm was verified upon two medical images which show better keyspace and higher key sensitivity.
In [94], a privacy-preserving query model system was proposed, and put into use in a real-world medical side effect inquiry system. To reduce the size of database, a filtering technique was applied before query model deployment. Multi-threading was used for fast searching. The effectiveness of the approach was verified 10,000 times with a random query, using a database including 40,000 records of simulation data. Nearly about 99% of the queries are completed within 60 s. In [95], homomorphic encryption by Fan and Vercauteren [46] was implemented using R language on a simulated dataset of 5000 cancer patients with a security level of 128 bit. Identification of exceptional survivors is made with the identification of total drug exposure.
In [96] study adds security mechanisms into the architecture of a patient-oriented edge-cloud-based healthcare system. For secure processing and filtering of insensitive data processing in the edge layer, an edge-level additive homomorphic encryption is presented. In [97], using contrast-enhancement RDH and homomorphic encryption, a safe and high-visual-quality framework for medical pictures was created. The proposed algorithm was homomorphic encryption based upon a chaotic map. It was a partial homomorphic scheme with the additive homomorphic property. The correlation between encrypted and marked photos is found to be lower, as well as the unpredictability in encrypted images is fairly high. It implies that the proposed encryption approach can enhance image security by safeguarding image content. In [98], proposed a computational model and developed an algorithm for contract tracing with COVID-19 pandemic. The proposed algorithm was simulated using ElGamal [11] encryption algorithm. Simulation was done using a synthetic spatiotemporal geolocation dataset. It was generated with timestamped locations. It consists of all location-oriented information for more than 24 h. It also includes ten COVID-19 positive patients and one querying person. It covers region 400 K m 2 within 24 hrs duration. Threshold distance of 2 m and Threshold time duration of 15 min with a threshold time difference of 12 h. According to simulation findings, the proposed approach effectively ensures security while also meeting the computing requirements for contact tracing. MHE allows for flexible, secure processing by seamlessly switching between HE-encrypted local computation and interactive protocols (SMC). It can be used to determine the most efficient strategy for each phase in a workflow, making use of one technique's features to avoid the bottlenecks of the other. A self-serviced medical diagnosis system based upon homomorphic encryption (HE) and privacy-preserving access control was described [99], which may protect patient medical health data while keeping hospital diagnosis mode secret. Following a thorough security investigation, it was discovered that the scheme could withstand a variety of known security risks. To [100] handle medical data privacy problems in smart health, the author tackled two major issues in the adversarial model. First, it created Derepo to decentralize access control and encryption of data without losing computability. Static structures and dynamic processes are formalized as part of the doublelayered architecture. Internal and external adversaries pose privacy problems. Thus the FHE method is employed to maintain secrecy and handle them. The author classifies data-sharing models into three groups and examines the major technical difficulties faced. Medical sites (i.e., data providers) that are willing to share data must pool their individual-level patient data into a single repository under the centralized approach. Unlike the centralized data-sharing approach, the decentralized model does not necessitate the physical transfer of patient-level data from medical locations' IT infrastructure. For calculating average heart rate, computing minimum and maximum heart rates, and detecting LQTS, the author [101] employed the BGV [43] scheme and its practical implementation HElib [55]. Because the BGV system employs leveled FHE, it avoids the need for a costly recryption procedure. For handline noise, leveled FHE employs a better technique known as modulus switching. Numerous ways that are primarily concerned with the privacy of healthcare data using Homomorphic Encryption are compared in (Table 5 and Table 6), and it was determined that, despite performance concerns owing to large computation, homomorphic encryption is feasible and important for preserving patient data privacy. In [102], authors introduced a FAMHE scheme, which is a federated analytics system based on mul-tiparity homomorphic encryption that integrates the strength of HE for executing computations on encrypted data without requiring communication between the parties. Safe computing and learning involve combining federated learning approaches with cryptographic frameworks. The technique was demonstrated to provide stringent privacy protection, but the accuracy of the approach was sacrificed in favor of performance. In [103], authors proposed two schemes CTHE ( Carmichael's Theorem-based Homomorphic Encryption) and MEHE (Modified Enhanced Homomorphic Encryption ). The hardness of integer factorization, the discrete logarithmic approach, and quadratic residuosity were employed in both techniques. It also makes use of modulus switching to decrease noise. Although the overall number of computations in MEHE was not decreased, the approach is still superior since it decreases noise without impacting security. In [104], authors presented a privacy-preserving framework CFHET-PPF. It combines three FHE approaches resulting in the prevention of false data injection. It is presented as a way to make it easier for fog nodes to categorize shared data based on illness risks, which is necessary for health data analysis. Because it prevents irrelevant computing during the transmission of sensitive data disseminated in the fog computing environment, it reduces encrypting time.

Conclusion
Privacy of data is essential than ever before in this internet world. Outsourcing applications are in high demand due to the cloud computing revolution. Clients use the service by uploading their data to the cloud, which is then evaluated to get a result. It benefits the consumer and exposes critical data to third-party service providers. Although data are encrypted, the difficulty with encrypted data is that it must be decrypted before being used. As a result of decrypting, it becomes vulnerable to all the things that were trying to secure it. Homomorphic encryption, which processes data while maintaining privacy and security, maybe the greatest solution for this problem in the future. The concept of HE has been around for more than three decades, but rapid development in the subject of fully homomorphic encryption advanced the field swiftly from Gentry's innovative research to today's efficient implementations. Digitizing a patient's medical records is anticipated to increase the quality and effectiveness of care while also lowering expenses. However, because electronic health records (EHRs) include a vast quantity of sensitive data available not just to doctors but also to a range of other sources such as insurance companies and staff members. EHR administration is essential for data security issues. As a result, we surveyed and compared the HE and FHE schemes in this paper. Initially going with the fundamentals of HE, the concepts of Partial Homomorphic Encryption (PHE) and Somewhat Homomorphic Encryption (SHE) were examined, which are prime aspects in achieving Fully Homomorphic Encryption, followed by FHE. FHE approaches were divided into four distinct groups, and significant approaches in each group were compared. Finally, in the domains of healthcare and bioinformatics, HE techniques were retrieved and compared for securely identifying LQTC, cancer, average heart rate, cardiovascular problems, and a secure query generating system in healthcare. Overall, homomorphic encryption will be a boon to the healthcare business as the performance and utility of FHE improve.

Declarations
Conflict of interest On behalf of all authors, the corresponding author states that there is no conflict of interest.
Open Access This article is licensed under a Creative Commons Attribution 4.0 International License, which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons licence, and indicate if changes were made. The images or other third party material in this article are included in the article's Creative Commons licence, unless indicated otherwise in a credit line to the material. If material is not included in the article's Creative Commons licence and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder. To view a copy of this licence, visit http://creativecomm ons.org/licenses/by/4.0/.